Backport of [Security] Close cross scripting vulnerability into release/1.19.x (#21346)

* backport of commit c8cb3349fe * backport of commit 262efd8f15 --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
2024-06-17 14:05:02 -07:00 · 2024-06-17 14:05:02 -07:00 · a1ee7cb38b
parent 09538e62b1
commit a1ee7cb38b
2 changed files with 4 additions and 1 deletions
--- a/.changelog/21342.txt
+++ b/.changelog/21342.txt
@ -0,0 +1,3 @@
+```release-note:security
+agent: removed reflected cross-site scripting vulnerability
+```
--- a/agent/kvs_endpoint.go
+++ b/agent/kvs_endpoint.go
@ -293,7 +293,7 @@ func conflictingFlags(resp http.ResponseWriter, req *http.Request, flags ...stri
 		if _, ok := params[conflict]; ok {
 			if found {
 				resp.WriteHeader(http.StatusBadRequest)
-				fmt.Fprint(resp, "Conflicting flags: "+params.Encode())
+				fmt.Fprintf(resp, "Conflicting flags: %v\n", params.Encode())
 				return true
 			}
 			found = true